Advanced protection policy

Last updated: 2020-02-17 10:17:54


DDoS High Defense IP provides advanced protection policies against DDoS attacks. You can adjust and tune the policy to match the protection needs of your business: blacklist/whitelist, disabled protocols, disabled ports, message feature filtering, connection exhaustion protection, watermark protection and related items let you target protection at the traffic your service actually carries.

Introduction to configuration items

| Configuration item | Function | When it takes effect |
| --- | --- | --- |
| Blacklist/Whitelist | Protection at the IP address level. Traffic from a whitelisted IP is forwarded directly without being checked by any other protection item; traffic from a blacklisted IP is blocked directly. | Only while the protected IP is under attack |
| Disable protocol | Protocols that the business does not use can be disabled. When an attack is detected, the Dayu High Defense cluster scrubs the traffic of those protocols. | Only while the protected IP is under attack |
| Disable port | Ports that the business does not use can be disabled. When an attack is detected, the Dayu High Defense cluster scrubs the traffic on those ports. | Only while the protected IP is under attack |
| Message feature filtering | Based on the characteristics of business packets or attack packets, conditions such as protocol, port range, packet length range, whether to inspect the payload, offset, check depth and feature string can be combined into a policy. When a packet matches the policy conditions, it can be forwarded directly, dropped, its source IP blocked, or its connection torn down. | Only while the protected IP is under attack |
| Speed limit | Rate limiting of traffic to the protected IP, per protocol. | Only while the protected IP is under attack |
| Reject overseas traffic | TCP requests from sources outside China (mainland China, Hong Kong, Macao and Taiwan) can be rejected. | Only while the protected IP is under attack |
| Connection exhaustion protection | For non-website services behind the High Defense IP, limits per-source parameters such as connection rate and packet length to mitigate low-traffic connection-exhaustion attacks. | Only while the protected IP is under attack |
| Abnormal connection detection | A TCP connection from a source IP that matches the configured parameters is judged abnormal. When the number of abnormal connections from a source IP exceeds the configured maximum, that source IP is blacklisted for a period of time and its access is blocked. | Only while the protected IP is under attack |
| Watermark protection | Supports TCP and UDP; within the configured port ranges the packet payload is checked for a watermark, which can also be stripped. Watermark protection gives effective, comprehensive protection against layer-4 CC attacks such as simulated service-message attacks and replay attacks. The business client and the Tencent Cloud Dayu protection system share the watermark algorithm and key; every packet sent by the client carries the watermark, attack packets do not, so the Dayu protection system identifies attack packets and drops them. | Only while the protected IP is under attack |

Add Policy

Advanced protection policies require a degree of expertise. Users with the relevant experience should read the following operation guide and then configure the policy to match their actual situation.

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Add New Policy**, set the following parameters according to your business requirements, and click **OK**.

  • Policy name
    Enter a policy name of 1-32 characters.
  • Blacklist/Whitelist
    • To add a blacklist: click **Add**, select **Blacklist**, enter the IPs to block (one per line when entering several), and click **OK**.
    • To add a whitelist: click **Add**, select **Whitelist**, enter the IPs to pass (one per line when entering several), and click **OK**.

The blacklist and whitelist together hold at most 100 IPs, and a batch addition cannot exceed the remaining quota. Because a whitelisted source bypasses every other protection item, keep the whitelist to a few known addresses: in a UDP or SYN flood an attacker can spoof any source address, including a whitelisted one.

  • Disable protocol
    Select the protocols to disable: ICMP, TCP, UDP or Other. "Other" means every protocol except ICMP, TCP and UDP.
  • Disable port
    Select the protocol (TCP or UDP) and the port type (destination port, source port, or destination and source port), then enter the port range to disable. To disable a single port, enter the same value as start and end port. Click **Add** below the list to add further records.
  • Message feature filtering
    Set conditions such as protocol, port range, packet length range, payload inspection, offset, check depth and feature string, and the action to take when a packet matches.
    • Offset: the byte position within the packet payload at which matching begins.
    • Check depth: used together with the offset; the number of bytes, counted from the offset onward, within which the feature string is searched. A feature that lies outside this window is not matched.
    • Action:
      • **Drop**: discard packets that match the filter conditions.
      • **Drop and block source IP**: discard matching packets and temporarily block the source IP.
      • **Drop and disconnect**: discard matching packets and tear down the TCP connection.
      • **Drop, disconnect and block source IP**: discard matching packets, tear down the TCP connection and temporarily blacklist the source IP.
      • **Forward**: forward matching packets directly, without further filtering.
  • Speed limit
    Click **Add**, select the protocol to rate-limit and set the threshold. Supported protocols are ICMP, TCP, UDP and Other ("Other" means every protocol except ICMP, TCP and UDP).
  • Reject overseas traffic
    Enable or disable. The DDoS High Defense IP defense engine has a built-in library of overseas IP ranges; when rejection is enabled, the source of each request is looked up in this library and blocked if it is overseas. Enabling takes effect only once the protected IP is under attack; disabling takes effect immediately.
  • Connection exhaustion protection
    • Null connection protection: enable or disable. When enabled, it takes effect only once the protected IP is under attack. Because it is implemented as a TCP proxy, it may affect the first-connection experience of the business.
    • Source new-connection rate limit: enable or disable. When enabled, set the limit (connections per second, 0-∞). Caps the rate at which a single source IP may open new connections; new connections above the limit are dropped.
    • Source concurrent-connection limit: enable or disable. When enabled, set the limit (connections, 0-∞). Caps the number of concurrent connections from a single source IP; connections above the limit are dropped.
    • Destination new-connection rate limit: enable or disable. When enabled, set the limit (connections per second, 0-∞). Caps the rate of new connections to the destination IP; new connections above the limit are dropped. Because protection is enforced by a cluster of devices, the enforced rate has some margin of error.
    • Destination concurrent-connection limit: enable or disable. When enabled, set the limit (connections, 0-∞). Caps the number of concurrent connections to the destination IP; connections above the limit are dropped. Because protection is enforced by a cluster of devices, the enforced limit has some margin of error.
  • Abnormal connection detection
    • Maximum number of abnormal connections per source IP: click **Enable** and enter a value in the range 0-∞. A source IP whose number of connections identified as abnormal exceeds this threshold is treated as an attack source and its access is restricted for a period of time.

The following parameters can be configured only when the maximum number of abnormal connections per source IP is enabled.

  • SYN ratio detection: enable or disable. When enabled, set the SYN ratio (SYN segments per 100 ACK segments). A TCP connection whose ratio of SYN to ACK segments exceeds the configured threshold is identified as abnormal.

  • SYN count detection: enable or disable. When enabled, set the maximum number of SYN segments (0-65535). A TCP connection carrying more SYN segments than this maximum is identified as abnormal.

  • Connection timeout detection: enable or disable. When enabled, set the detection period in seconds (0-65535). A TCP connection that transmits no packet within this period after being established is identified as abnormal.

  • Null session detection: enable or disable. A TCP connection that transmits no packet carrying a payload after being established is identified as abnormal.
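The four checks above and the per-source threshold combine as follows. This is an added example built from the parameter descriptions on this page, not Tencent Cloud's code: the class and field names, the way each check is expressed, and the sample connections are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Added example: a model of "Abnormal connection detection" built from the
# parameter descriptions on this page. Not Tencent Cloud's implementation; the
# names, thresholds and sample connections below are constructed.

@dataclass
class TcpConn:
    src: str             # source IP that opened the connection
    syn: int             # SYN segments seen on this connection
    ack: int             # ACK segments seen on this connection
    idle_seconds: float  # time since the connection was established with no segment
    payload_bytes: int   # bytes of application data carried so far

@dataclass
class AbnormalConfig:
    max_abnormal: int                # per-source threshold before blacklisting
    syn_ratio: Optional[int] = None  # SYNs per 100 ACKs; None = check disabled
    syn_count: Optional[int] = None  # max SYNs per connection (0-65535)
    timeout: Optional[int] = None    # seconds without traffic (0-65535)
    null_session: bool = False       # flag connections that never carry payload

def is_abnormal(c: TcpConn, cfg: AbnormalConfig) -> bool:
    """Apply every enabled check; a single hit marks the connection abnormal."""
    # syn/ack > ratio/100 rewritten without division; a connection with SYNs
    # but no ACK at all (ack == 0) is therefore always over the ratio.
    if cfg.syn_ratio is not None and c.syn * 100 > cfg.syn_ratio * c.ack:
        return True
    if cfg.syn_count is not None and c.syn > cfg.syn_count:
        return True
    if cfg.timeout is not None and c.idle_seconds > cfg.timeout:
        return True
    if cfg.null_session and c.payload_bytes == 0:
        return True
    return False

def sources_to_blacklist(conns: Iterable[TcpConn], cfg: AbnormalConfig) -> Set[str]:
    """Count abnormal connections per source IP; sources over max_abnormal are
    the ones the policy would blacklist for a period of time."""
    counts: dict = {}
    for c in conns:
        if is_abnormal(c, cfg):
            counts[c.src] = counts.get(c.src, 0) + 1
    return {src for src, n in counts.items() if n > cfg.max_abnormal}

# Constructed sample: one attacker opening idle/empty connections, one normal
# client with a single idle connection that stays under the threshold.
SAMPLE_CONNS = [
    TcpConn("203.0.113.7", syn=1, ack=1, idle_seconds=120, payload_bytes=0),  # timeout, null
    TcpConn("203.0.113.7", syn=8, ack=1, idle_seconds=2, payload_bytes=0),    # SYN ratio, null
    TcpConn("203.0.113.7", syn=1, ack=1, idle_seconds=90, payload_bytes=0),   # timeout, null
    TcpConn("198.51.100.5", syn=1, ack=3, idle_seconds=1, payload_bytes=512), # normal
    TcpConn("198.51.100.5", syn=1, ack=2, idle_seconds=70, payload_bytes=0),  # one abnormal, under limit
]

# Constructed thresholds: 200 SYNs per 100 ACKs, 5 SYNs, 60 s idle, null sessions on.
CFG = AbnormalConfig(max_abnormal=2, syn_ratio=200, syn_count=5, timeout=60, null_session=True)

if __name__ == "__main__":
    print(sources_to_blacklist(SAMPLE_CONNS, CFG))
```

The threshold is "more than" max_abnormal, so with max_abnormal=2 the attacker's three abnormal connections trigger blacklisting while the normal client's single idle connection does not; tune the timeout and null-session checks against the real service's idle behaviour before enabling them, or long-polling clients will count as abnormal.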

  • Watermark protection
    Click **Enable** to configure watermark protection, enter the TCP and/or UDP protection ports, and click **OK** to enable watermark protection on those ports. After the policy is added, key information is generated automatically; you then need to complete the offline client integration of the watermark.

  • TCP protection ports, UDP protection ports
    Up to 5 port ranges can be configured per protocol; ranges must not overlap; a range whose start and end port are equal is a single port; at least one TCP or UDP port range must be configured.

A UDP watermark can be stripped only when a UDP port range is configured, and the offset of the watermark label within the UDP packet can then be specified.

  • UDP watermark stripping
    Check **Automatically strip UDP packet watermark**. Packets passing through the Dayu High Defense system then have the watermark removed from the UDP payload before being forwarded to the real server.

If the Dayu protection system is not required to strip the UDP watermark, the business side must strip it itself before processing the packet.

  • Offset
    The offset of the watermark label within the UDP payload. The default is 0 and the range is 0-99. The offset takes effect only when UDP watermark stripping is enabled.
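To make the offset and check depth of the message feature filter concrete, here is an added example of how a packet is evaluated against the disabled-protocol, disabled-port and feature-filter items. It is illustrative code written for this page, not Tencent Cloud's engine: the evaluation order (disabled protocols, then disabled ports, then feature rules in listed order), the action names and the sample packets are assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Added example: an illustrative evaluator for the "disable protocol", "disable
# port" and "message feature filtering" items. Not Tencent Cloud's engine; the
# rule ordering, action names and sample packets are assumptions.

@dataclass
class Packet:
    proto: str      # "TCP", "UDP", "ICMP"; anything else counts as "Other"
    sport: int
    dport: int
    length: int     # total packet length in bytes
    payload: bytes

@dataclass
class PortRule:
    proto: str      # "TCP" or "UDP"
    kind: str       # "dst", "src" or "both"
    start: int
    end: int        # start == end disables a single port

@dataclass
class FeatureRule:
    proto: str
    dport: Tuple[int, int]      # inclusive destination port range
    length: Tuple[int, int]     # inclusive packet length range
    action: str                 # one of ACTIONS
    check_payload: bool = False
    offset: int = 0             # payload byte position where matching starts
    depth: int = 0              # bytes examined from the offset onward
    feature: bytes = b""

ACTIONS = {"forward", "drop", "drop_block", "drop_reset", "drop_reset_block"}

def canonical(proto: str) -> str:
    return proto if proto in ("TCP", "UDP", "ICMP") else "Other"

def port_hit(rule: PortRule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    in_range = lambda p: rule.start <= p <= rule.end
    if rule.kind == "dst":
        return in_range(pkt.dport)
    if rule.kind == "src":
        return in_range(pkt.sport)
    return in_range(pkt.dport) and in_range(pkt.sport)

def feature_hit(rule: FeatureRule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    if not rule.length[0] <= pkt.length <= rule.length[1]:
        return False
    if not rule.check_payload:
        return True                       # header-only rule already matched
    # Only the window [offset, offset + depth) is searched for the feature.
    window = pkt.payload[rule.offset:rule.offset + rule.depth]
    return rule.feature in window

def evaluate(pkt: Packet, disabled: Set[str], ports: List[PortRule],
             features: List[FeatureRule]) -> str:
    """Action for one packet. Order (an assumption): disabled protocols,
    then disabled ports, then feature rules in listed order."""
    if canonical(pkt.proto) in disabled:
        return "drop"
    if any(port_hit(r, pkt) for r in ports):
        return "drop"
    for r in features:
        if r.action not in ACTIONS:
            raise ValueError(f"unknown action {r.action!r}")
        if feature_hit(r, pkt):
            return r.action
    return "forward"

# Constructed policy: ICMP off, NetBIOS ports off, and two feature rules for a
# game service on TCP 25000-25100: forward packets whose first 4 bytes are
# "GAME", drop-and-block packets carrying \xde\xad within bytes 4-7.
DISABLED = {"ICMP"}
PORT_RULES = [PortRule("UDP", "dst", 137, 139)]
FEATURE_RULES = [
    FeatureRule("TCP", (25000, 25100), (60, 200), "forward",
                check_payload=True, offset=0, depth=4, feature=b"GAME"),
    FeatureRule("TCP", (25000, 25100), (60, 200), "drop_block",
                check_payload=True, offset=4, depth=4, feature=b"\xde\xad"),
]
SAMPLES = {   # constructed packets, not captures
    "ping":    Packet("ICMP", 0, 0, 84, b""),
    "netbios": Packet("UDP", 40000, 137, 100, b"\x00" * 50),
    "player":  Packet("TCP", 51000, 25001, 120, b"GAME\x00\x01\x02\x03hello"),
    "flood":   Packet("TCP", 51001, 25001, 120, b"XXXX\xde\xad\xbe\xefjunk"),
    "shifted": Packet("TCP", 51002, 25001, 120, b"XXXXXXXX\xde\xad"),
}

def classify_all() -> dict:
    return {n: evaluate(p, DISABLED, PORT_RULES, FEATURE_RULES) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, action in classify_all().items():
        print(f"{name:8} -> {action}")
```

The "shifted" packet carries the same \xde\xad bytes as the "flood" packet, but at bytes 8-9, outside the window of offset 4 and depth 4, so it is forwarded; when writing a filter from a capture, set the offset and depth to cover every position where the attack tool places its marker, and put the "forward" rule for known-good traffic first so that a broad drop rule cannot catch it.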

Bind and unbind resources

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Bind resources** in the row of the target policy.

  • Bind resources: in the **Bind resources** dialog box, select one or more resources according to your business requirements and click **OK**.
  • Unbind resources: in the **Bind resources** dialog box, click the control on the right of each resource to be unbound in the **Selected** area, then click **OK**.

Client watermark integration

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Watermark client file download** in the row of the target policy, and complete the offline integration of the client.

Add, delete, or disable/enable watermark keys

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Watermark key configuration** in the row of the target policy.

  • Add key: in the **Key information** dialog box, click **Add key**; a new key is generated immediately.
  • Disable/enable key: in the **Key information** dialog box, click **Disable** in the row of the target key, or click **Enable** to reactivate it.
  • Delete key: only a disabled key can be deleted. In the **Key information** dialog box, click **Delete** in the row of the target key.

At most 2 keys can exist. To add a new key when two already exist, delete one of the old keys first; when only one key is active, it cannot be disabled or deleted. The two-key limit is what makes rotation possible without dropping traffic: add the new key, roll it out to the clients, and only then disable and delete the old one.
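The watermark mechanism, the stripping offset and the two-key rotation described above, as an added example. This is not Tencent Cloud's watermark algorithm (which ships in the downloadable client and is not published on this page); it is illustrative code showing the mechanism: client and scrubber share keys, every client UDP datagram carries a watermark at a fixed payload offset, the scrubber verifies it, optionally strips it, and drops datagrams without a valid watermark. The tag layout (key id, timestamp, truncated HMAC-SHA256), the 30-second freshness window, the key ids and the sample keys are all assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Added example, not Tencent Cloud's watermark algorithm. Tag layout, MAC
# truncation, freshness window, key ids and sample keys are assumptions.

TAG_LEN = 13        # 1 byte key id + 4 bytes timestamp + 8 bytes truncated MAC
WINDOW = 30         # seconds a watermark stays fresh

def _mac(key: bytes, key_id: int, ts: int, body: bytes) -> bytes:
    msg = bytes([key_id]) + struct.pack(">I", ts) + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def client_mark(payload: bytes, key_id: int, key: bytes, offset: int,
                ts: Optional[int] = None) -> bytes:
    """Client side: insert the watermark at `offset` in the UDP payload.
    The MAC covers the unmarked payload, so the scrubber verifies after removal."""
    if not 0 <= offset <= len(payload):
        raise ValueError("offset outside payload")
    ts = int(time.time()) if ts is None else ts
    tag = bytes([key_id]) + struct.pack(">I", ts) + _mac(key, key_id, ts, payload)
    return payload[:offset] + tag + payload[offset:]

def scrubber_check(datagram: bytes, keys: Dict[int, bytes], offset: int,
                   strip: bool, now: Optional[int] = None) -> Optional[bytes]:
    """Protection side: return the datagram to forward to the real server
    (watermark removed when `strip` is set), or None to drop it. `keys` holds
    only the currently enabled keys, so disabling a key in the console is
    modelled by removing it from the dict."""
    if len(datagram) < offset + TAG_LEN:
        return None                            # too short to carry a watermark
    tag = datagram[offset:offset + TAG_LEN]
    key_id, ts = tag[0], struct.unpack(">I", tag[1:5])[0]
    key = keys.get(key_id)
    if key is None:
        return None                            # unknown or disabled key
    now = int(time.time()) if now is None else now
    if abs(now - ts) > WINDOW:
        return None                            # stale: a replayed old capture
    body = datagram[:offset] + datagram[offset + TAG_LEN:]
    if not hmac.compare_digest(_mac(key, key_id, ts, body), tag[5:]):
        return None                            # forged or corrupted watermark
    return body if strip else datagram

# Constructed keys: id 1 is the old key, id 2 the newly added one.
KEYS = {1: bytes.fromhex("5d2f0c1a9e7b44d3a1c0ffee00112233"),
        2: bytes.fromhex("c0ffee9988776655aabbccdd11223344")}

def rotation_demo() -> Dict[str, Optional[bytes]]:
    """Key rotation: both keys enabled, then key 1 disabled and deleted."""
    old = client_mark(b"hello", 1, KEYS[1], 2, ts=1000)   # client still on key 1
    new = client_mark(b"hello", 2, KEYS[2], 2, ts=1000)   # client moved to key 2
    out = {"old_key_both_enabled": scrubber_check(old, KEYS, 2, True, now=1005),
           "new_key_both_enabled": scrubber_check(new, KEYS, 2, True, now=1005)}
    only_new = {2: KEYS[2]}                                 # key 1 disabled
    out["old_key_after_rotation"] = scrubber_check(old, only_new, 2, True, now=1005)
    out["new_key_after_rotation"] = scrubber_check(new, only_new, 2, True, now=1005)
    out["attack_no_watermark"] = scrubber_check(b"\x00" * 40, KEYS, 2, True, now=1005)
    return out

if __name__ == "__main__":
    for name, result in rotation_demo().items():
        print(f"{name:24} -> {'forward ' + repr(result) if result else 'drop'}")
```

With both keys enabled the scrubber accepts datagrams marked with either key, which is the window in which clients can be moved to the new key; once key 1 is disabled its datagrams are dropped. The timestamp rejects replays of old captures, but an attacker who replays a valid datagram inside the freshness window still passes this check; closing that gap needs per-flow deduplication of seen tags, which is omitted here, and the page does not state how the real client handles it.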

Configure policy

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Configure** in the row of the target policy. Update the following parameters according to your business requirements and click **OK** to save the changes.

A policy whose name has the form "business scenario name_policy_serial number" was generated from a business scenario, and its name cannot be modified.

  • Policy Name
  • Blacklist/Whitelist
  • Disable protocol
  • Disable port
  • Message filtering feature
  • Reject overseas traffic
  • Connection exhaustion protection
  • Abnormal connection detection
  • Watermark Protection

Deleting a policy

  • A policy not bound to any resource can be deleted directly. For a policy with bound resources, unbind all of its resources first.
  • If UDP watermark stripping is enabled, deleting the policy also turns the stripping switch off. Make sure the business client and server have made the corresponding configuration changes before deleting.
  • A deleted policy cannot be restored; proceed with caution.
  • Advanced protection policies generated automatically from user-created business scenarios cannot be deleted.

Log in to the DDoS Protection console and choose **DDoS High Defense IP** -> **Defense configuration**. On the **DDoS Advanced Protection Policy** tab, click **Delete** in the row of the target policy, and click **OK** in the dialog box.